Mark Berry December 21, 2010
I’m enjoying my new Samsung Captivate, still running Android 2.1 (c’mon, AT&T, let’s see 2.2!). But I’ve found that Android doesn’t trust the SSL certificate I installed from StartSSL. No problem, I just need to add that to the list of trusted certificates, right? Not so fast.
It seems that Android has gotten to version 2.2 without implementing a user-editable certificate store. Even figuring that out was a challenge: it’s mostly a matter of wading through Android bug reports. Here are a few references; in the bug reports, click on the star at the bottom, above the comment box, to be notified of updates:
Here’s a StackOverflow question on how to install a cert manually.
Importing CACert root certificates into Android. Looks like this procedure is for Unix users.
StartCom Root CA trusted as of Android 2.2. Issue 5657; see comment 24.
List of trusted Certification Authorities as of September 9, 2010. Issue 10985; see comment 11. That comment says the current source code should be here, but I get a 500 error on that page. It looks like it is here now. There is one file per certificate. A Java script named certimport.sh “recreates the cacerts.bks file from the x509 CA certificates in the cacerts directory.” Somewhere I read that cacerts.bks winds up on the phone as /etc/security/cacerts.bks, but I don’t have access to that. (The fact that the certs are hard-coded in source code is of course the main problem.)
Long bug thread about editing CA certs: Issue 6207; see comment 48 about why it was closed unsolved. Also a brief note that the Android certificate installer available from the Settings > Location and security > Credential storage user interface only affects the VPN; certificates installed there are not used by the browser, email client, or third-party applications.
Site for creating a cert to use with WiFi: http://www.realmb.com/droidCert.
Some SSL issues are really issues with intermediate certificates: Issue 1946. Comment 21 says there may be some improvements (in 2.2?) to handle out-of-order certificates. This site tests certificates: http://www.ssltest.net.
Android 2.1 and 2.2 allow you to import certificates, but only for use with WiFi and VPN. There is no user interface for updating the list of trusted root certificates, but there is discussion about adding that feature. It’s unclear whether there is a reliable workaround for manually updating and replacing the cacerts.bks file.